From patchwork Mon Sep 2 09:41:15 2024
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 48563
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Cc: Erik Schilling, Mikko Rapeli
Subject: [PATCH 1/3] systemd-tools: add recipe
Date: Mon, 2 Sep 2024 12:41:15 +0300
Message-ID: <20240902094117.31156-2-mikko.rapeli@linaro.org>
In-Reply-To: <20240902094117.31156-1-mikko.rapeli@linaro.org>
References: <20240902094117.31156-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204065

From: Erik Schilling

Provides systemd-tools-native recipe for ukify.py tooling. Avoids full
systemd native build which is not needed.

Signed-off-by: Mikko Rapeli
---
 .../systemd/systemd-tools_256.5.bb | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd-tools_256.5.bb

diff --git a/meta/recipes-core/systemd/systemd-tools_256.5.bb b/meta/recipes-core/systemd/systemd-tools_256.5.bb
new file mode 100644
index 0000000000..f2e419ffe0
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd-tools_256.5.bb
@@ -0,0 +1,41 @@ +require systemd.inc +FILESEXTRAPATHS =. "${FILE_DIRNAME}/systemd:" + +DEPENDS = " \ + intltool-native \ + libcap \ + util-linux \ + gperf-native \ + python3-jinja2-native \ + python3-pyelftools-native \ + python3-pefile \ +" + +inherit meson pkgconfig gettext + +MESON_TARGET = "ukify" + +# Helper variables to clarify locations. This mirrors the logic in systemd's +# build system. +rootprefix ?= "${root_prefix}" +rootlibdir ?= "${base_libdir}" +rootlibexecdir = "${rootprefix}/lib" + +EXTRA_OEMESON += "-Dnobody-user=nobody \ + -Dnobody-group=nogroup \ + -Drootlibdir=${rootlibdir} \ + -Drootprefix=${rootprefix} \ + -Ddefault-locale=C \ + -Dmode=release \ + -Dsystem-alloc-uid-min=101 \ + -Dsystem-uid-max=999 \ + -Dsystem-alloc-gid-min=101 \ + -Dsystem-gid-max=999 \ +" + +do_install() { + install -d ${D}${bindir}/ + install -m 0755 ${S}/src/ukify/ukify.py ${D}${bindir}/ukify +} + +BBCLASSEXTEND = "native" From patchwork Mon Sep 2 09:41:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikko Rapeli X-Patchwork-Id: 48562 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CABA1CA0ED3 for ; Mon, 2 Sep 2024 09:41:47 +0000 (UTC) Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com [209.85.167.44]) by mx.groups.io with SMTP id smtpd.web10.34971.1725270104987702366 for ; Mon, 02 Sep 2024 02:41:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=NXNykWbl; spf=pass (domain: linaro.org, ip: 209.85.167.44, mailfrom: mikko.rapeli@linaro.org) Received: by mail-lf1-f44.google.com with SMTP id 2adb3069b0e04-53436e04447so4177777e87.1 for ; Mon, 02 Sep 2024 02:41:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
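Review bot: do_install copies the raw source file `${S}/src/ukify/ukify.py`, while `MESON_TARGET = "ukify"` builds a generated copy that is then never installed, so any jinja2 placeholders in the script are left unsubstituted and the meson step (and its jinja2/pyelftools build dependencies) does no useful work; either install the meson output from ${B} or drop the meson build and keep only the file copy. The recipe also declares no RDEPENDS: ukify is a Python script that imports pefile at runtime, so the target variant that `BBCLASSEXTEND = "native"` also produces needs RDEPENDS:${PN} on python3 and python3-pefile, and `python3-pefile` being the one DEPENDS entry without a `-native` suffix next to `python3-jinja2-native` and `python3-pyelftools-native` reads like an oversight. Since the commit message only wants the native tool, consider `inherit native` so no target package is generated at all.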
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Cc: Mikko Rapeli
Subject: [PATCH 2/3] bitbake.conf: add getopt to HOSTTOOLS
Date: Mon, 2 Sep 2024 12:41:16 +0300
Message-ID: <20240902094117.31156-3-mikko.rapeli@linaro.org>
In-Reply-To: <20240902094117.31156-1-mikko.rapeli@linaro.org>
References: <20240902094117.31156-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204066

Needed by systemd-tools-native

Signed-off-by: Mikko Rapeli
---
 meta/conf/bitbake.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index d8252c5b82..a8c630e7f8 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -511,7 +511,7 @@ HOSTTOOLS_DIR = "${TMPDIR}/hosttools" HOSTTOOLS += " \ [ ar as awk basename bash bunzip2 bzip2 cat chgrp chmod chown chrpath cmp comm cp cpio \ cpp cut date dd diff diffstat dirname du echo egrep env expand expr false \ - fgrep file find flock g++ gawk gcc getconf getopt git grep gunzip gzip \ + fgrep file find flock g++ gawk getent gcc getconf getopt git grep gunzip gzip \ head hostname iconv id install ld ldd ln ls lz4c make md5sum mkdir mkfifo mknod \ mktemp mv nm objcopy objdump od patch perl pr printf pwd \ python3 pzstd ranlib readelf readlink realpath rm rmdir rpcgen sed seq sh \ From patchwork Mon Sep 2 09:41:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikko Rapeli X-Patchwork-Id: 48564 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CEF1BCD13CF for ; Mon, 2 Sep 2024 09:41:57 +0000 (UTC) Received: from mail-lj1-f177.google.com (mail-lj1-f177.google.com [209.85.208.177]) by mx.groups.io with SMTP id smtpd.web11.35079.1725270109782194246 for ; Mon, 02 Sep 2024 02:41:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=NdPstC4K; spf=pass (domain: linaro.org, ip: 209.85.208.177, mailfrom: mikko.rapeli@linaro.org) Received: by mail-lj1-f177.google.com with SMTP id 38308e7fff4ca-2f3f25a1713so46745281fa.2 for ; Mon, 02 Sep 2024 02:41:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1725270108; x=1725874908; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=vGZkmSybxjWwHEzMQmozhYo1xhIaXV5MkofSKp7APfo=; 
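Review bot: the subject says "add getopt to HOSTTOOLS" but the hunk adds `getent` (getopt is already present on both the removed and the added line); retitle the commit to match, and expand "Needed by systemd-tools-native" to say which step of that recipe calls getent, since a reader of the log cannot tell from this change. The new word also breaks the alphabetical order of the line: `gawk getent gcc getconf getopt` should read `gawk gcc getconf getent getopt`. Worth a sentence in the message as well: whitelisting getent lets configure scripts query the build host's passwd and group databases, so builds that use it should pin their results (as 1/3 does with `-Dnobody-user=nobody -Dnobody-group=nogroup`) rather than inherit whatever the host has.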
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Cc: Michelle Lin, Erik Schilling, Mikko Rapeli
Subject: [PATCH 3/3] uki.bbclass: add class for building Unified Kernel Images (UKI)
Date: Mon, 2 Sep 2024 12:41:17 +0300
Message-ID: <20240902094117.31156-4-mikko.rapeli@linaro.org>
In-Reply-To: <20240902094117.31156-1-mikko.rapeli@linaro.org>
References: <20240902094117.31156-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204067

From: Michelle Lin

This class calls systemd ukify tool, which will combine kernel/initrd/stub
components to build the UKI. To sign the UKI (i.e. SecureBoot), the
keys/cert files can be specified in a configuration file or UEFI binary
signing can be done via separate steps, see qemuarm64-secureboot in
meta-arm.

UKIs are loaded by UEFI firmware on target which can improve security by
loading only correctly signed kernel, initrd and kernel command line.

Using systemd-measure to pre-calculate TPM PCR values and sign them is
not supported since that requires a TPM device on the build host. Thus
"ConditionSecurity=measured-uki" default from systemd 256 does not work
but "ConditionSecurity=tpm2" in combination with secure boot will.

These can be used to boot securely into systemd-boot, kernel, kernel
command line and initrd which then securely mounts a read-only dm-verity
/usr partition and creates a TPM encrypted read-write / rootfs.

Tested via qemuarm64-secureboot in meta-arm with
https://lists.yoctoproject.org/g/meta-arm/topic/patch_v3_02_13/108031399
and a few more changes needed, will be posted separately.

Signed-off-by: Michelle Lin
Cc: Erik Schilling
Signed-off-by: Mikko Rapeli
Acked-by: Erik Schilling
---
 meta/classes-recipe/uki.bbclass | 158 ++++++++++++++++++++++++++++++++
 1 file changed, 158 insertions(+)
 create mode 100644 meta/classes-recipe/uki.bbclass

diff --git a/meta/classes-recipe/uki.bbclass b/meta/classes-recipe/uki.bbclass
new file mode 100644
index 0000000000..472eb476a0
--- /dev/null
+++ b/meta/classes-recipe/uki.bbclass
@@ -0,0 +1,158 @@ +# Unified kernel image (UKI) class +# +# This bbclass merges kernel, initrd etc as a UKI standard UEFI binary, +# to be loaded with UEFI firmware on target. SecureBoot signing is +# supported via add ons. TPM PCR pre-calculation is not supported since +# systemd-measure tooling is meant to run on target, not in cross compile +# environment. +# +# See: +# https://www.freedesktop.org/software/systemd/man/latest/ukify.html +# https://uapi-group.org/specifications/specs/unified_kernel_image/ +# +# The UKI is composed from +# - an UEFI stub +# The linux kernel can generate a UEFI stub, however the one from systemd-boot can fetch +# the command line from a separate section of the EFI application, avoiding the need to +# rebuild the kernel. +# - the kernel +# - an initramfs +# - other metadata (e.g. PCR measurements) +# +# Usage instructions: +# - requires UEFI compatible firmware on target, e.g. qemuarm64-secureboot from meta-arm +# - Distro config: +# INIT_MANAGER = "systemd" +# DISTRO_FEATURES += "systemd" +# DISTRO_FEATURES_NATIVE += "systemd" +# DISTRO_FEATURES += "efi" +# DISTRO_FEATURES += "uki" +# INITRAMFS_IMAGE ?= "core-image-minimal-initramfs" +# HOSTTOOLS += "getent ping" +# EFI_PROVIDER = "systemd-boot" +# - image recipe: +# INHERIT_UKI = "${@bb.utils.contains('DISTRO_FEATURES', 'uki', 'uki', '', d)}" +# inherit ${INHERIT_UKI} +# - qemuboot/runqemu changes in image recipe: +# # Detected by passing kernel parameter +# QB_KERNEL_ROOT = "" +# # kernel is in the image, should not be loaded separately +# QB_DEFAULT_KERNEL = "none" +# - for UEFI secure boot, systemd-boot, uki and linux kernel need +# to be signed with sbsign (recipe available from meta-secure-core, +# see also qemuarm64-secureboot from meta-arm) + +DEPENDS += "\ + systemd \ + systemd-boot \ + systemd-tools-native \ + virtual/${TARGET_PREFIX}binutils \ + virtual/kernel \ +" + +REQUIRED_DISTRO_FEATURES += "usrmerge systemd uki" + +inherit features_check image-artifact-names 
+require ../conf/image-uefi.conf + +INITRAMFS_IMAGE ?= "core-image-minimal-initramfs" + +INITRD_ARCHIVE ?= "${INITRAMFS_IMAGE}-${MACHINE}.${INITRAMFS_FSTYPES}" + +do_image_complete[depends] += "${INITRAMFS_IMAGE}:do_image_complete" + +UKIFY_CMD ?= "ukify build" +UKI_CONFIG_FILE ?= "${UNPACKDIR}/uki.conf" +UKI_FILENAME ?= "uki.efi" +UKI_CMDLINE ?= "rootwait root=/dev/vda2" + +IMAGE_EFI_BOOT_FILES ?= "${UKI_FILENAME};EFI/Linux/${UKI_FILENAME}" + +do_uki[depends] += " \ + systemd-boot:do_deploy \ + virtual/kernel:do_deploy \ + " +do_uki[depends] += "${@ '${INITRAMFS_IMAGE}:do_image_complete' if d.getVar('INITRAMFS_IMAGE') else ''}" + +# ensure that the build directory is empty everytime we generate a newly-created uki +do_uki[cleandirs] = "${B}" +# influence the build directory at the start of the builds +do_uki[dirs] = "${B}" + +# we want to allow specifying files in SRC_URI, such as for signing the UKI +python () { + d.delVarFlag("do_fetch","noexec") + d.delVarFlag("do_unpack","noexec") +} + +# main task +python do_uki() { + import glob + import bb.process + + # Construct the ukify command + ukify_cmd = d.getVar('UKIFY_CMD') + + deploy_dir_image = d.getVar('DEPLOY_DIR_IMAGE') + + # initrd + initramfs_image = "%s" % (d.getVar('INITRD_ARCHIVE')) + ukify_cmd += " --initrd=%s" % os.path.join(deploy_dir_image, initramfs_image) + + deploy_dir_image = d.getVar('DEPLOY_DIR_IMAGE') + + # Kernel + if d.getVar('KERNEL_IMAGETYPE'): + kernel = "%s/%s" % (deploy_dir_image, d.getVar('KERNEL_IMAGETYPE')) + kernel_version = d.getVar('KERNEL_VERSION') + if not os.path.exists(kernel): + bb.fatal(f"ERROR: cannot find {kernel}.") + + ukify_cmd += " --linux=%s --uname %s" % (kernel, kernel_version) + else: + bb.fatal("ERROR - Required argument: KERNEL") + + # Command line + cmdline = d.getVar('UKI_CMDLINE') + if cmdline: + ukify_cmd += " --cmdline='%s'" % cmdline + + # Architecture + target_arch = d.getVar('EFI_ARCH') + if target_arch: + ukify_cmd += " --efi-arch %s" % target_arch + + # 
systemd stubs from deploy + stub = "%s/linux%s.efi.stub" % (d.getVar('DEPLOY_DIR_IMAGE'), target_arch) + if not os.path.exists(stub): + bb.fatal(f"ERROR: cannot find {stub}.") + ukify_cmd += " --stub %s" % stub + + # Add option for dtb + if d.getVar('KERNEL_DEVICETREE'): + for dtb in d.getVar('KERNEL_DEVICETREE').split(): + dtb_path = "%s/%s" % (deploy_dir_image, dtb) + if not os.path.exists(dtb_path): + bb.fatal(f"ERROR: cannot find {dtb_path}.") + ukify_cmd += " --devicetree %s" % dtb_path + + # Add option to pass a config file the UKI + if os.path.exists(d.getVar('UKI_CONFIG_FILE')): + ukify_cmd += " --config=%s" % d.getVar('UKI_CONFIG_FILE') + + # Tools + ukify_cmd += " --tools=%s%s/lib/systemd/tools" % (d.getVar("RECIPE_SYSROOT_NATIVE"), d.getVar("prefix")) + + # TODO: tpm2 measure for secure boot, depends on systemd-native and TPM tooling + # needed in systemd > 254 to fulfill ConditionSecurity=measured-uki + # Requires TPM device on build host, thus not supported at build time. + #ukify_cmd += " --measure" + + # Custom UKI name + output = " --output=%s/%s" % (d.getVar('DEPLOY_DIR_IMAGE'), d.getVar('UKI_FILENAME')) + ukify_cmd += " %s" % output + + # Run the ukify command + bb.process.run(ukify_cmd, shell=True) +} +addtask uki after do_rootfs before do_deploy do_image_complete do_image_wic
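Review bot: do_uki assembles the ukify command by string concatenation and runs it with `bb.process.run(ukify_cmd, shell=True)`, so a UKI_CMDLINE, DEPLOY_DIR_IMAGE or KERNEL_DEVICETREE value containing a quote, a space or a shell metacharacter either breaks the command or is interpreted by the shell; `ukify_cmd += " --cmdline='%s'" % cmdline` in particular fails on any embedded `'`. Build an argument list (or pass each value through shlex.quote) and run it without `shell=True`. Smaller points in the same hunk: `deploy_dir_image = d.getVar('DEPLOY_DIR_IMAGE')` is assigned twice; `kernel_version = d.getVar('KERNEL_VERSION')` is never checked, so an image recipe where it is unset silently passes `--uname None` while the kernel path gets a bb.fatal check; `--initrd` is always added although `do_uki[depends]` guards the initramfs dependency with `if d.getVar('INITRAMFS_IMAGE')`, so the two should agree; and the usage comment's `HOSTTOOLS += "getent ping"` is partly redundant with 2/3 of this series, which adds getent to HOSTTOOLS for every build. Since `UKI_CONFIG_FILE` may name the SecureBoot signing key and the anonymous python block re-enables do_fetch/do_unpack so that such files can come through SRC_URI, the header comment should state where private keys are expected to live so they are not fetched into a shared downloads directory or captured in sstate.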